To avoid overlooking some issues, here is a summary of the last two days' bugs and fixes:
Summary of bug reports and fixes, Whonix-Host 15.0.0.3.6
A. Already fixed
1. Virtual Machine Manager/KVM
- Blacklisted llc module: fixed and merged (see Update uncommon-network-protocols.conf by onions-knight · Pull Request #29 · Kicksecure/security-misc · GitHub)
- By default, the VMs do not start until the CPU configuration is set to host + `Error starting domain: unsupported configuration: host doesn't support paravirtual spinlocks`: fixed (see Error starting domain: unsupported configuration: host doesn't support paravirtual spinlocks - #5 by onion_knight) but needs merging (see pull request Update install by onions-knight · Pull Request #92 · Kicksecure/libvirt-dist · GitHub)
3. Whonix-Host install on HDD
- Grub menu also provides a Debian-Live option, although it does not work → fixed and merged by not removing live-boot packages from the host install in calamares (see pull request Update packages.conf.whonix by onions-knight · Pull Request #91 · Kicksecure/libvirt-dist · GitHub)
4. Miscellaneous
- Theming lacks arc-icons (currently using Adwaita icons, not so bad IMHO) → not an option, so fixed
B. Still needs work
1. Virtual Machine Manager/KVM
- New issue with virt-manager (both on ISO and install target): `Error connecting to graphical console: Error opening Spice console, SpiceClientGTK missing` → can be fixed by installing `gir1.2-spiceclientgtk-3.0` and needed dependencies (`apt install --no-install-recommends gir1.2-spiceclientgtk-3.0`) (didn’t do a pull request yet as I don’t know exactly where it goes)
2. Calamares Installer
- Needs correct branding → to be done (see also: Whonix Host Calamares Branding Suggestion)
- Does it work in EFI mode? Needs more testing → to be done
3. Whonix-Host install on HDD
- At least one of the kernel hardening boot parameters somehow messes with the CPU detection on the host → to be done (needs further testing, see also Kernel Hardening - security-misc - #153 by Patrick)
- The installed system has no virtual console root access. Very unpractical, especially for a host system. Maybe consider reverting back this recent change for the Whonix-Host version? (see also Restrict root access - #64 by Patrick) → to be discussed
4. Miscellaneous
- power-manager plugin + pulseaudio plugin → task open (T928 install xfce4-power-manager on Whonix Host and Kicksecure Host)
- The Whonix Host should be graphically differentiated from the Whonix-VMs. Maybe simply a different background image/color? → to be done (see Whonix Desktop Installer with Calamares - field report - #114 by Patrick)
- Somehow a user `user` was created during the build although it should be avoided at all costs (messes with live-useruser config + is being copied over onto the host install) → to be verified/fixed (I am currently rebuilding a whonix-host machine to see if this error still happens. Didn’t do a pull request yet as I don’t know exactly what to change)
- By default, the VMs do not start because the virtual disks are not set to readonly → in discussion (T914 Whonix Host Live - enable KVM readonly mode - virt-xml vm-name --edit --disk readonly=on)
- Currently the live system in ISO mode provides a live-user account with passwordless sudo rights → can be fixed by adding `live-config.noroot` to live ISO boot parameters (but then we need to change calamares polkit to allow its execution by sudoless user)
@Patrick if you want to open new tasks on phabricator and assign me some, please be aware that I have just recreated an account (previous credentials lost): onion_knight2, waiting for your approval